From mboxrd@z Thu Jan  1 00:00:00 1970
From: Tobias Geerinckx-Rice <me@tobias.gr>
Subject: Re: native-inputs ending up as run-time references [was: ISO image
	available for testing!]
Date: Wed, 6 Dec 2017 03:16:45 +0100
Message-ID: <c987f8d4-81ca-c19d-3435-40abf2498577@tobias.gr>
References: <877f16z9eo.fsf@gnu.org> <87infv54m3.fsf@gnu.org>
	<87efqgnn7x.fsf@elephly.net> <878teo59tb.fsf@gnu.org>
	<20171201183042.GB2504@jasmine.lan> <87tvxadz11.fsf@elephly.net>
	<87lgiirhsf.fsf_-_@gnu.org> <874lp618iy.fsf@cbaines.net>
	<87shcoaj2w.fsf@gnu.org> <87bmjcvft3.fsf@netris.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:53005)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <me@tobias.gr>) id 1eMPE5-0008BO-VD
	for guix-devel@gnu.org; Tue, 05 Dec 2017 21:14:22 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <me@tobias.gr>) id 1eMPE4-0007Tv-UD
	for guix-devel@gnu.org; Tue, 05 Dec 2017 21:14:21 -0500
In-Reply-To: <87bmjcvft3.fsf@netris.org>
Content-Language: en-GB
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: ludo@gnu.org, mhw@netris.org
Cc: guix-devel@gnu.org

Mark!
Ludovic!

Mark H Weaver wrote on 06/12/17 at 01:52:
> ludo@gnu.org (Ludovic Courtès) writes:
>> Long story short: we were flagging native inputs as potential 
>> sources of grafts even though, by definition, native inputs are
>> not referred to at run time.
> 
> I agree that this *should* never happen, but I see little reason for 
> confidence that it never happens in actual fact.

Hold on. I thought this happened *all the actual time*.

To me, the output of ‘guix graph’ implies that ghc[*] refers directly to
perl, and ghc-haddock-library to hspec-discover, and that both of those
are native inputs.

These are just the first two examples of packages with native inputs
that I happened to pull out of my haskell.scm. While Haskell does seem
particularly naughty, I've no reason to believe it's unique.

Are these not ‘run-time references’? Is your use of the term narrower
than mine?

> One solution would be to explicitly check build outputs for 
> references to native-inputs, and to force a build failure in that 
> case.

I was surprised to learn this was not already the case (before I started
slowly dragging hissing Haskell packages into the present). I suggest we
don't make any security assumptions about it until it is.

Kind regards,

T G-R